Use the Work Plan in an investigation - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-11-28
Category: Administrator Guide
Solution: Cloud

Abstract

A Work Plan is a visual representation of the running playbook that is assigned to an incident. Use it to monitor and manage a playbook workflow.

The Work Plan is a visual representation of the running playbook assigned to the incident. Playbooks enable you to automate many security processes, such as managing your investigations and handling tickets. Work Plans enable you to monitor and manage a playbook workflow, and add new tasks to tailor the playbook to a specific investigation.

In an investigation, when you open the Work Plan tab you can see the playbook, the playbook name, and navigation tools.

By default, the Follow checkbox is selected, so you can watch the playbook execute in real time: the view advances each time a task completes.

In the Work Plan you can do the following:

Change the default playbook: On the left-hand side of the window, select the playbook you want to run. When you change the playbook, all completed tasks are removed and the new playbook runs. If you have switched playbooks several times, you can view the history of which playbooks ran.

Rerun the playbook: In the same playbook selector, select the playbook that is currently assigned to run it again.

View inputs and outputs: View the inputs and outputs of each task that has run. Inputs and outputs are not available for a task that has not run yet.

Manage tasks: View, create, and edit a playbook task. For each task, you can do the following:

  • Designate the task as complete, either manually or by running a script.
  • Assign an owner.
  • Set a due date.
  • Add comments and completion notes, as required.

You can also manage tasks from the CLI with the /task command. For more information about tasks, see Incident Tasks.

Export to a PNG: Export the Work Plan as a PNG image for easy analysis.

Example: In a phishing investigation, after the initial playbook run has parsed the email and extracted the email addresses, you could add the Email Address Enrichment - Generic v2.1 playbook as an ad-hoc playbook task during the manual investigation to get more information about those addresses.


The color coding and symbols in the Work Plan help you troubleshoot errors and respond to manual steps. The following table describes the task types and status icons shown in the Work Plan.

Standard automated task: The arrow and lightning bolt indicate a standard automated task. This task requires no analyst intervention and turns green automatically when it completes successfully.

Standard manual task: The arrow alone indicates a standard manual task, used for steps that usually cannot be automated. You can add comments, assign the task to an owner, and set a due date. You must complete the task before the Work Plan can continue.

Conditional task: The diamond indicates a conditional task, which is either an automated conditional task (with the lightning bolt) or a manual conditional task. These tasks act as decision points in your Work Plan.

Data collection task: The speech bubble indicates a data collection task, which prompts you to answer one or more questions.

Active task: The gear icon indicates a task that is currently in progress.

Completed task: The green check mark indicates a completed task.

Overdue task: The clock icon indicates that the task is past its due date.

Pending manual task: The orange user icon indicates that the playbook is waiting on an analyst. Open the task and manually mark it as complete.

Failed task: The red warning icon indicates that the automation did not complete as expected and requires manual inspection and troubleshooting. Contact your Cortex XSOAR administrator.

Skipped (missing content): The task was skipped because content it depends on is missing, such as an integration that is not installed.

Sub-playbook task: The workflow icon indicates that the task is a playbook nested within the parent playbook. To view that playbook, open the task and select Open sub-playbook.

Task containing a deprecated script: The yellow warning indicates that the associated automation is deprecated. The script is still available in the system but is no longer actively supported by its author.
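The states in the table above are what an analyst scans the Work Plan for: a pending manual or failed task stops the playbook, while a skipped task, a deprecated script or a missed due date needs follow-up even though the playbook may keep moving. The following is an added example, not code from the Cortex XSOAR product or its documentation: it applies that triage over a constructed list of task records and reports whether the Work Plan is blocked and which tasks need attention. The record layout (`id`, `state`, `due`, `deprecated_script`) is an assumption made for the illustration and does not reflect any Cortex XSOAR API schema.

```python
from datetime import datetime, timezone

# States named in the Work Plan table that stop the playbook from continuing
# (a manual task must be completed; a failed automation needs troubleshooting).
BLOCKING_STATES = {"pending_manual", "failed"}
# States that need analyst follow-up but do not by themselves block the playbook.
FOLLOW_UP_STATES = {"skipped_missing_content"}


def classify_task(task, now):
    """Return the set of reasons a task needs analyst attention (empty if none).

    Reasons are drawn from the Work Plan states: pending_manual, failed,
    skipped_missing_content, deprecated_script and overdue (due date passed
    on a task that has not completed).
    """
    reasons = set()
    state = task.get("state", "active")
    if state in BLOCKING_STATES or state in FOLLOW_UP_STATES:
        reasons.add(state)
    if task.get("deprecated_script"):
        reasons.add("deprecated_script")
    due = task.get("due")
    if due and state != "completed" and datetime.fromisoformat(due) < now:
        reasons.add("overdue")
    return reasons


def work_plan_summary(tasks, now):
    """Summarise a Work Plan: is it blocked, by which tasks, and what else needs a look."""
    attention = {}
    blocking = []
    completed = 0
    for task in tasks:
        if task.get("state") == "completed":
            completed += 1
        reasons = classify_task(task, now)
        if reasons:
            attention[task["id"]] = sorted(reasons)
        if task.get("state") in BLOCKING_STATES:
            blocking.append(task["id"])
    return {
        "total": len(tasks),
        "completed": completed,
        "blocked": bool(blocking),
        "blocking": blocking,
        "attention": attention,
    }


# Constructed sample Work Plan for a phishing playbook (illustrative data only).
SAMPLE_TASKS = [
    {"id": "1", "name": "Parse email", "state": "completed"},
    {"id": "2", "name": "Enrich sender address (sub-playbook)", "state": "completed"},
    {"id": "3", "name": "Confirm phishing verdict", "state": "pending_manual",
     "due": "2024-11-20T09:00:00+00:00"},
    {"id": "4", "name": "Block sender", "state": "failed"},
    {"id": "5", "name": "Notify user", "state": "skipped_missing_content"},
    {"id": "6", "name": "Legacy ticket update", "state": "active", "deprecated_script": True},
    {"id": "7", "name": "Close ticket", "state": "active",
     "due": "2024-12-01T09:00:00+00:00"},
]

# Fixed "now" so the overdue check is deterministic (constructed value).
NOW = datetime(2024, 11, 28, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    summary = work_plan_summary(SAMPLE_TASKS, NOW)
    print(f"{summary['completed']}/{summary['total']} tasks completed; blocked={summary['blocked']}")
    for task_id, reasons in summary["attention"].items():
        print(f"  task {task_id}: {', '.join(reasons)}")
```

Running the script flags task 3 as both pending manual and overdue, task 4 as failed, task 5 as skipped for missing content and task 6 as running a deprecated script, and reports the plan as blocked by tasks 3 and 4; task 7 has a future due date and is left alone. The same split between blocking and follow-up states is a reasonable basis for a dashboard or alert on stalled Work Plans.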